On Thu, 11 Jun 2026 16:41:43 +0000
Anders ?stling via samba <samba at lists.samba.org> wrote:
> I am trying to write a script that records logons, but sees two
> different "types" of logons. I know what Kerberos but wonders why
> some users logons are recorded as "Kerberos pre-auth" while other
are
> NTLMv2 logons. Both clients in this example are Windows 11 domain
> clients.
>
> Auth: [SamLogon,network] user [HPL]\[katarina] at [Thu, 11 Jun 2026
> 10:25:57.914307 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
> [HP-PC21X64] remote host [ipv4:10.0.2.10:54298] became
> [HPL]\[katarina] [S-1-5-21-687474044-2168480911-1327640110-2125].
> local host [ipv4:10.0.2.15:49152] NETLOGON computer [HP-SRV02] trust
> account [HP-SRV02$]
>
> and
>
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[eva at HPLTS.SE] at [Thu, 11 Jun 2026 16:21:36.156780 CEST]
> with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
> [(null)] remote host [ipv4:10.0.2.82:64999] became [HPL]\[eva]
> [S-1-5-21-687474044-2168480911-1327640110-1126]. local host [NULL]
>
> I can of course script this as a loop to search for both types, but
> it would be interesting to learn why this is like this.
>
>
Kerberos requires names to work, so it is possible that one is
connecting via an ipaddress and using NTLM and the other is using dns
names and gets to use kerberos.
Rowland